GRCWatch
Sign inStart free trial

CIS Control 16.5: Use Up-to-Date and Trusted Third-Party Components

Third-party libraries and frameworks power modern applications—but outdated or vulnerable components expose your organization to preventable breaches. CIS Control 16.5 requires you to actively vet, maintain, and monitor dependencies to eliminate known security gaps before attackers can exploit them.

What this means

This control requires your organization to use only vetted, trusted third-party libraries and frameworks as the foundation for web and mobile applications. You must establish a process to select components with strong update histories, actively maintain them to patch known vulnerabilities, and continuously monitor for newly disclosed security issues. The goal is to minimize your attack surface by preventing known exploits from being introduced through the software supply chain.

How to comply

  1. 1.Create a software component approval policy that defines criteria for acceptable third-party libraries (maturity, active maintenance, security track record).
  2. 2.Maintain a software bill of materials (SBOM) that documents all third-party components, versions, and licenses used in each application.
  3. 3.Scan all dependencies regularly using vulnerability databases (NVD, GitHub Advisories, Snyk) to identify known CVEs.
  4. 4.Establish update schedules for production and non-production environments, prioritizing critical and high-severity patches.
  5. 5.Automate dependency updates where possible using tools like Dependabot or Renovate to reduce manual overhead.
  6. 6.Document the rationale for delayed updates on high-risk components and implement compensating controls.
  7. 7.Monitor vendor security advisories and apply patches within 30 days of release (or sooner for critical vulnerabilities).
  8. 8.Audit third-party component usage quarterly to identify unused libraries and remove technical debt.

Evidence auditors look for

  • Software bill of materials (SBOM) listing all dependencies, versions, and last-updated dates.
  • Vulnerability scan reports showing zero critical/high unpatched CVEs in current production deployments.
  • Component approval policy and vendor evaluation checklist used during architecture decisions.
  • Dependency update logs showing patch application within SLA timeframes.
  • Automated dependency scanning tool configuration (e.g., GitHub Advanced Security, Snyk, WhiteSource).
  • License compliance report confirming all third-party components meet organizational policies.
  • Security advisory subscription confirmations from vendors and open-source maintainers.
  • Change logs documenting component version upgrades and security patches applied.

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates continuous scanning of your software dependencies against known vulnerability databases and generates compliance evidence showing timely patches—eliminating manual inventory reviews and reducing the time spent on third-party component audits.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Control 2.1: Address Unauthorized SoftwareCIS Control 3.12: Segment and Isolate DataNIST SP 800-53 SA-3: System Development Life CycleNIST SP 800-53 SA-12: Supply Chain Risk ManagementISO 27001 A.14.1.1: Information Security Requirements